hi, I am looking to use PCR policy to seal and unseal trusted keys. I tried using the interface described in the documentation [1], but I get an unseal error at the time of a key load operation. I came across a thread [2] which is pretty much the error that I get. As per my understanding of what James had explained on that thread, the API was broken for TPM 2.0-based devices. Has that since been fixed? If so, has there been a change in the user interface for sealing and unsealing the trusted keys?

Here are the steps that I follow.

# tpm2_createpolicy --policy-pcr --pcr-list sha256:10 --policy pcr10_bin.policy > pcr.policy
# cat pcr.policy
16ef916486174ed6f68b09629d2920dd7493d0918fff1247420934c3836100d3
# keyctl add trusted kmk-pcr "new 32 keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr.policy`" @u
588568314
# keyctl pipe 588568314 > kmk-pcr.blob

On a reboot (or even w/o a reboot, after deleting the key):

# keyctl add trusted kmk-pcr "load `cat kmk-pcr.blob` keyhandle=0x81000001 hash=sha256 policydigest=`cat pcr.policy`" @u
add_key: Operation not permitted

My setup is a QEMU arm64 virt platform running Debian 11, a Linux kernel built from the current master branch, and a swtpm 2.0 implementation as the TPM backend.

-sughosh

[1] - Documentation/security/keys/trusted-encrypted.rst
[2] - https://lore.kernel.org/linux-integrity/20191206212031.GE9971@xxxxxxxxxxxxxxx/T/
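The following is an added example, not part of the message above and not code from the kernel or tpm2-tools projects. It wraps the seal and load steps from the message in a small diagnostic: before attempting the load, it re-derives the PCR policy digest from the current PCR state and compares it with the digest the blob was sealed under, so that an "Operation not permitted" on load can be separated into "the PCR changed since sealing, so unseal fails by design" versus "something else is wrong". It assumes tpm2-tools (`tpm2_createpolicy`) and keyutils (`keyctl`) are installed, that it runs as root, and that the persistent SRK handle is 0x81000001 as in the message; the payload strings mirror the message's own commands. The kernel documentation cited as [1] also lists a `policyhandle=` option for loading a key under an authorization policy session, which this example does not use.

```shell
#!/bin/sh
# Added example (not from the original post): diagnostic wrapper around the
# "new"/"load" trusted-key steps with a PCR policy digest.
# Assumptions (not stated on the page): tpm2-tools and keyutils installed,
# running as root, SRK persisted at 0x81000001 as in the message.

PCR_LIST="${PCR_LIST:-sha256:10}"
KEYHANDLE="${KEYHANDLE:-0x81000001}"
HASH="${HASH:-sha256}"

# Expected hex length of a digest for the given hash algorithm (0 = unknown).
digest_hex_len() {
    case "$1" in
        sha1)   echo 40 ;;
        sha256) echo 64 ;;
        sha384) echo 96 ;;
        sha512) echo 128 ;;
        *)      echo 0 ;;
    esac
}

# Strip whitespace (tpm2_createpolicy prints a trailing newline) and lowercase,
# so two digests can be compared byte for byte.
normalize_digest() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Return 0 if the digest has the right length and is pure hex for the hash.
validate_digest() {
    d=$(normalize_digest "$1")
    want=$(digest_hex_len "$2")
    [ "$want" -gt 0 ] || return 1
    [ "${#d}" -eq "$want" ] || return 1
    case "$d" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Return 0 if two digests are equal after normalization.
digests_match() {
    [ "$(normalize_digest "$1")" = "$(normalize_digest "$2")" ]
}

# keyctl payload for sealing a new key of $1 bytes under policy digest $2.
seal_payload() {
    printf 'new %s keyhandle=%s hash=%s policydigest=%s' \
        "$1" "$KEYHANDLE" "$HASH" "$(normalize_digest "$2")"
}

# keyctl payload for loading blob $1 under policy digest $2 (mirrors the message).
load_payload() {
    printf 'load %s keyhandle=%s hash=%s policydigest=%s' \
        "$(normalize_digest "$1")" "$KEYHANDLE" "$HASH" "$(normalize_digest "$2")"
}

# Derive the policy digest for the current PCR state (needs a TPM).
current_policy_digest() {
    tmp=$(mktemp) || return 1
    tpm2_createpolicy --policy-pcr --pcr-list "$PCR_LIST" --policy "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Seal a new trusted key named $1; write $2.blob and $2.policy for later loads.
seal_key() {
    digest=$(current_policy_digest) || return 1
    validate_digest "$digest" "$HASH" || { echo "unexpected digest: $digest" >&2; return 1; }
    id=$(keyctl add trusted "$1" "$(seal_payload 32 "$digest")" @u) || return 1
    keyctl pipe "$id" > "$2.blob" || return 1
    normalize_digest "$digest" > "$2.policy"
}

# Load the key named $1 from $2.blob, but first check that the PCR policy
# digest still equals the one recorded at sealing time.
load_key() {
    sealed=$(cat "$2.policy") || return 1
    now=$(current_policy_digest) || return 1
    if ! digests_match "$sealed" "$now"; then
        echo "PCR policy changed since sealing (sealed=$sealed now=$now):" \
             "unseal is expected to fail" >&2
        return 2
    fi
    keyctl add trusted "$1" "$(load_payload "$(cat "$2.blob")" "$sealed")" @u
}

# Usage (as root, with a TPM present):
#   . ./this_script.sh; seal_key kmk-pcr /root/kmk-pcr
#   ... reboot or keyctl unlink ...
#   . ./this_script.sh; load_key kmk-pcr /root/kmk-pcr
```

When `load_key` returns 2 the PCR state differs from what the blob was sealed under, so a refused unseal is the policy doing its job; any other failure points at the key load path itself and is worth taking to the list with the kernel and tpm2-tools versions.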